Method of generating a chaos-based pseudo-random sequence and a hardware generator of chaos-based pseudo random bit sequences

ABSTRACT

A method for generating cryptographically secure (or unpredictable) pseudo-random numbers uses simple functions whose inverse is not a well-defined function and has a large number of branches, although the inverse could be easily computed on each particular branch. In this way the sequence of numbers is practically unpredictable and at the same time may be generated using very simple functions. A generator of such a pseudo-random bit sequence comprises circuit means for storing bit strings representing integer numbers of the pseudo-random sequence; a shift register coupled to the circuit means; a command circuit generating shift commands for the shift register; second circuit means for storing the bits output by the shift register; an adder modulo 2 summing the bits stored in the second circuit means, generating a bit of the chaos-based pseudo-random bit sequence; and a second adder summing up the bit strings currently stored in the shift register and in the first circuit means, generating a bit string representing a successive number of the pseudo-random sequence.

PRIORITY CLAIM

[0001] This application claims priority from European patent application No. 02425689.3, filed Nov. 12, 2002, which is incorporated herein by reference.

TECHNICAL FIELD

[0002] The present invention relates generally to the generation of pseudo-random numbers, and in particular to a method for generating a sequence of chaos-based pseudo-random numbers and a hardware implementation thereof.

BACKGROUND

[0003] Pseudo-random number generators (PRNGs) are useful in every application that uses Monte Carlo methods, and also in cryptography [1]. PRNGs are algorithms implemented on finite-state machines that generate sequences of numbers which appear random-like in many respects. These sequences are necessarily periodic, but their periods are very long, they pass many statistical tests, and they may be easily implemented with simple and fast software routines.

[0004] Chaotic systems may be used both in cryptography (see [2]) and in generating pseudo-random numbers. For example, in a series of papers [3], a chaos-derived pseudo-random number generator has been proposed. It has been numerically observed that the average cycle and transient lengths grow exponentially with the precision of the implementation, and from this fact it has been deduced that, using high-precision arithmetic, it is possible to obtain PRNGs which are still of cryptographic interest. The usual statistical tests applied to PRNGs intended for Monte Carlo simulations are generally simple.

[0005] In cryptography, a PRNG should not only have good statistical properties but also be “cryptographically secure”, i.e., given a sequence of pseudo-random bits it should be impossible to predict the next bit of the sequence with probability much greater than ½. For this reason, PRNGs suitable for cryptographic applications must pass the next-bit test.

[0006] Existing cryptographically secure PRNGs are not computationally efficient. They are therefore used only for highly critical off-line operations, while for on-line tasks (such as stream ciphers) fast but not cryptographically secure PRNGs are employed. The drawback is that such stream ciphers can be attacked by exploiting the weakness of their PRNGs.

[0007] Statistical properties of binary sequences generated by a class of ergodic maps with certain symmetry properties are discussed in [4]. The authors derived a sufficient condition for this class of maps to produce a sequence of independent and identically distributed binary random variables. However, the implementation of these maps on finite-state machines, and the consequences this implementation may have on the randomness of the generated sequences, have not been discussed.

[0008] For a better understanding of a possible field of application of the invention, a brief introduction to the basic concepts of pseudo-random bit generation is provided, following the approach of [1] (see also [5]).

[0009] Definition 1 A (truly) random bit generator is a device which outputs a sequence of statistically independent and unbiased binary digits.

[0010] A random bit generator can be used to generate random numbers. For a chaos-based generator of truly random bits see [6].

[0011] Definition 2 A pseudo-random bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length k, outputs a binary sequence of length l >> k which “appears” to be random. The input of the PRBG is called the seed, while the output of the PRBG is called a pseudo-random bit sequence.

[0012] Definition 3 A pseudo-random bit generator is said to pass all polynomial-time statistical tests if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than ½.

[0013] Definition 4 A pseudo-random bit generator is said to pass the next-bit test if there is no polynomial-time algorithm which, on input of the first l bits of an output sequence s, can predict the (l+1)-st bit of s with probability significantly greater than ½.

[0014] In this case the PRBG is said to be unpredictable.

[0015] Theorem 1 A pseudo-random bit generator passes the next-bit test if and only if it passes all polynomial-time statistical tests.

[0016] Definition 5 Let G = {G_n, n ≥ 1} be an ensemble of generators, with G_n: {0,1}^n → {0,1}^{p(n)}, where p(·) is a polynomial satisfying n+1 ≤ p(n) ≤ n^c + c for some fixed integer c. We say that G is a cryptographically secure pseudo-random bit generator if:

[0017] there is a deterministic polynomial-time algorithm that, on input of any n-bit string, outputs a string of length p(n);

[0018] for sufficiently large n, the generator G_n passes the next-bit test.

[0019] All the above definitions and the theorem are informal. For a formal definition of statistical test (Definition 3), see Yao [7]. The notion of a cryptographically secure pseudo-random bit generator was introduced by Blum and Micali [8]. Theorem 1 (universality of the next-bit test) is due to Yao [7].

[0020] The last three definitions above are given in complexity-theoretic terms and are asymptotic in nature, because the notion of “polynomial time” is meaningful only for asymptotically large inputs. Therefore, the security results for a particular family of PRBGs are only an indirect indication of the security of individual members.

[0021] Blum and Micali [8] presented the following construction of a cryptographically secure PRBG. Let D be a finite set, and let f: D → D be a permutation that can be efficiently computed. Let B: D → {0,1} be a Boolean predicate with the property that B(x) is hard to compute given only x ∈ D, but B(x) can be efficiently computed given y = f⁻¹(x). The output sequence z_1, z_2, …, z_l corresponding to the seed x_0 ∈ D is obtained by computing x_i = f(x_{i−1}), z_i = B(x_i), for 1 ≤ i ≤ l.

[0022] Blum and Micali [8] proposed the first concrete instance of a cryptographically secure PRBG. Let p be a large prime. Define D = Z_p* = {1, 2, …, p−1} and let α be a generator of Z_p*. The function f: D → D is defined by f(x) = α^x mod p. The function B: D → {0,1} is defined by B(x) = 1 if 0 ≤ log_α x ≤ (p−1)/2 and B(x) = 0 if log_α x > (p−1)/2. Assuming the intractability of the discrete logarithm problem in Z_p*, the Blum-Micali generator was proven to pass the next-bit test. Other examples of cryptographically secure PRBGs are the RSA generator [9] and the Blum-Blum-Shub generator [10].
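The Blum-Micali construction above, as an added worked example that is not part of the patent text: p = 23 and α = 5 are toy parameters chosen here for illustration only, and the brute-force discrete logarithm stands in for the step that is infeasible at real sizes. The point it makes concrete is the asymmetry of the predicate B: computed from x alone it needs a discrete logarithm, but computed from the predecessor y = f⁻¹(x) it is a comparison. All function names are this example's own.

```python
# Toy Blum-Micali generator over Z_p^* (added example; p = 23, alpha = 5 are illustration-only
# parameters, far too small for any real use). Function names are this example's own.

def is_generator(alpha: int, p: int) -> bool:
    """True iff alpha has order p-1 in Z_p^* (p assumed prime): no proper divisor d of p-1 gives alpha^d = 1."""
    return all(pow(alpha, d, p) != 1 for d in range(1, p - 1) if (p - 1) % d == 0)

def discrete_log(alpha: int, x: int, p: int) -> int:
    """Brute-force log_alpha(x) in Z_p^*. Feasible only because p is tiny; for a large prime
    this is exactly the step assumed intractable."""
    y = 1
    for e in range(p - 1):
        if y == x:
            return e
        y = (y * alpha) % p
    raise ValueError("x is not in the group generated by alpha")

def hard_core_bit_via_log(x: int, alpha: int, p: int) -> int:
    """B(x) = 1 iff 0 <= log_alpha(x) <= (p-1)/2, computed the hard way (from x alone)."""
    return 1 if discrete_log(alpha, x, p) <= (p - 1) // 2 else 0

def step(x_prev: int, alpha: int, p: int) -> tuple:
    """One generator step: x = f(x_prev) = alpha^x_prev mod p and z = B(x).
    Because x_prev = f^{-1}(x), log_alpha(x) = x_prev mod (p-1) is already known, so B(x)
    is computed without any discrete logarithm: the 'easy given y = f^{-1}(x)' property."""
    x = pow(alpha, x_prev, p)
    z = 1 if (x_prev % (p - 1)) <= (p - 1) // 2 else 0
    return x, z

def blum_micali(seed: int, alpha: int, p: int, nbits: int) -> list:
    """Output bits z_1 .. z_nbits from the seed x_0 in Z_p^*."""
    if not (1 <= seed <= p - 1):
        raise ValueError("seed must be in Z_p^*")
    if not is_generator(alpha, p):
        raise ValueError("alpha must generate Z_p^*")
    bits, x = [], seed
    for _ in range(nbits):
        x, z = step(x, alpha, p)
        bits.append(z)
    return bits

if __name__ == "__main__":
    print(blum_micali(3, 5, 23, 8))   # -> [1, 1, 1, 1, 1, 1, 1, 0]
```

The cheap path in `step` and the brute-force path in `hard_core_bit_via_log` agree on every element of Z_23*; with a 2048-bit prime the second path is the one an attacker who sees only the outputs is left with.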

[0023] Linear Congruential Generators

[0024] A linear congruential generator produces a pseudo-random sequence of numbers x_1, x_2, … according to the linear recurrence

x_n = (a·x_{n−1} + b) mod m,   n ≥ 1

[0025] The integers a, b and m are parameters which characterize the generator, while x_0 is the seed. Generators of this form are widely used in Monte Carlo methods, taking x_i/m to simulate uniform draws on [0, 1].

[0026] For a study of linear congruential generators, see Knuth [11]. Plumstead [12] and Boyar [13] showed how to predict the output sequence of a linear congruential generator given only a few elements of the output sequence, even when the parameters a, b and m of the generator are unknown. Boyar [13] extended her methods and showed that linear multivariate congruential generators,

x_n = (a_1·x_{n−1} + a_2·x_{n−2} + … + a_l·x_{n−l}) mod m

[0027] and quadratic congruential generators,

x_n = (a·x_{n−1}² + b·x_{n−1} + c) mod m

[0028] are cryptographically insecure. Krawczyk [14] showed how the output of any multivariate polynomial generator can be efficiently predicted. A truncated linear congruential generator is one where a fraction of the least significant bits of x_i are discarded. Frieze et al. [15] showed that these generators can be efficiently predicted if the parameters a, b and m are known. Stern [16] extended this method to the case where only m is known. Boyar [17] presented an efficient algorithm for predicting linear congruential generators when O(log log m) bits are discarded and the parameters are unknown.

[0029] No efficient prediction algorithms are known for truncated multivariate polynomial congruential generators.
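As an added example of why the untruncated generator of [0024] is insecure (this code is not from the patent or from the cited papers), the simplest case: the modulus m is known and an attacker sees three consecutive outputs. Two differences of the recurrence give a, and one more output gives b, after which every later output is known. The parameters below are constructed for the demonstration; m = 2³¹ − 1 is prime, so any nonzero difference is invertible modulo m. The harder unknown-m case solved by Plumstead [12] and Boyar [13] is not reproduced here.

```python
# Added example: recover the multiplier a and increment b of an LCG x_i = (a*x_{i-1} + b) mod m
# from three consecutive outputs when m is known, then predict the next output.
# Parameters are constructed for the demonstration; function names are this example's own.
from math import gcd

def lcg(seed: int, a: int, b: int, m: int, n: int) -> list:
    """Outputs x_1 .. x_n of the recurrence x_i = (a*x_{i-1} + b) mod m."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + b) % m
        out.append(x)
    return out

def recover_lcg_params(x1: int, x2: int, x3: int, m: int):
    """From x2 = a*x1 + b and x3 = a*x2 + b (mod m): x3 - x2 = a*(x2 - x1), so
    a = (x3 - x2) * (x2 - x1)^{-1} mod m and b = x2 - a*x1 mod m.
    Returns None when x2 - x1 is not invertible mod m (more outputs would then be needed)."""
    d = (x2 - x1) % m
    if gcd(d, m) != 1:
        return None
    a = ((x3 - x2) * pow(d, -1, m)) % m
    b = (x2 - a * x1) % m
    return a, b

def predict_next(outputs: list, m: int):
    """Predict the output that follows the last element of `outputs` (needs >= 3 values, known m)."""
    if len(outputs) < 3:
        raise ValueError("need at least three consecutive outputs")
    params = recover_lcg_params(outputs[-3], outputs[-2], outputs[-1], m)
    if params is None:
        return None
    a, b = params
    return (a * outputs[-1] + b) % m

if __name__ == "__main__":
    m = 2**31 - 1
    seen = lcg(42, 16807, 12345, m, 4)            # the attacker observes seen[:3]
    print(recover_lcg_params(*seen[:3], m))        # -> (16807, 12345)
    print(predict_next(seen[:3], m) == seen[3])    # -> True
```

Truncating the output (keeping only the high bits of each x_i) removes the exact linear relation this attack relies on; the references in [0028] show that truncation only raises the cost, it does not restore security.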

SUMMARY

[0030] In one embodiment of the invention, a method of generating a sequence of chaos-based pseudo-random numbers and a hardware pseudo-random bit generator are relatively easy to realize. The sequence of numbers is practically unpredictable and at the same time may be generated using very simple functions.

[0031] The known methods of generating cryptographically secure (or unpredictable) pseudo-random numbers are based on the use of complicated functions whose inverse is well defined but hard to compute. According to common knowledge this is necessary, because otherwise it would be easy to predict the numbers of a pseudo-random sequence.

[0032] As a consequence, known methods are relatively slow, and hardware generators that implement them have a rather complex architecture.

[0033] On the contrary, a method according to an embodiment of the invention generates pseudo-random numbers using simple functions whose inverses are not well-defined functions and have a large number of branches, although the inverse might be easily computed on each particular branch.

[0034] More precisely, one embodiment of the present invention is a method for generating a chaos-based pseudo-random sequence comprising the steps of:

[0035] defining a chaotic map for generating a pseudo-random sequence of integer numbers comprised in a certain interval;

[0036] defining a function on that interval whose inverse has a plurality of branches;

[0037] choosing a seed of the pseudo-random sequence of integer numbers comprised in the interval;

[0038] generating numbers of the pseudo-random sequence;

[0039] calculating numbers of a chaos-based pseudo-random sequence by applying the function to corresponding integer numbers of the pseudo-random sequence.

[0040] This method is preferably used for generating chaos-based pseudo-random bit sequences and may be implemented in a hardware generator of chaos-based pseudo-random bit sequences, comprising:

[0041] circuit means for storing bit strings representing integer numbers of the pseudo-random sequence;

[0042] a shift register coupled to the circuit means;

[0043] a command circuit generating shift commands for the shift register;

[0044] second circuit means for storing the bits output by the shift register;

[0045] an adder modulo 2 summing the bits stored in the second circuit means, generating a bit of the chaos-based pseudo-random bit sequence;

[0046] a second adder summing up the bit strings currently stored in the shift register and in the first circuit means, generating a bit string representing a successive number of the pseudo-random sequence.

BRIEF DESCRIPTION OF THE DRAWINGS

[0047] Different aspects and advantages of the invention will appear even more clearly through the following non-limiting description referring to the attached drawings, wherein:

[0048] FIG. 1 is a diagram describing in a basic manner a preferred embodiment of the method of the invention for generating chaos-based pseudo-random bit sequences;

[0049] FIG. 2 is a hardware generator implementing an embodiment of the method of the invention;

[0050] FIG. 3 is a particular embodiment of a hardware generator of the invention implementing the method described in FIG. 1 for k = 2.

DESCRIPTION OF SEVERAL EMBODIMENTS OF THE INVENTION

[0051] In order to illustrate the gist of the invention in an easy manner, let us refer to the following sample algorithm for generating a sequence of (real) numbers X_1, X_2, …

[0052] First of all, a chaotic map is chosen:

x_{n+1} = f(x_n) = ((p/2^m)·x_n) mod 2^m   (1)

[0053] where n = 0, 1, …, x_0 ∈ [0, 2^m], p > 2^m, and p is an odd integer. The generic term X_n of the sequence is given by

X_n = H(x_n) = sin²(x_n)   (2)

[0054] Is the sequence X_1, X_2, … predictable? In other words, knowing a finite number of elements of this sequence, say X_j, X_{j+1}, …, X_{j+k−1}, is it possible to predict the previous and the next elements of the sequence, X_{j−1} and X_{j+k}?

[0055] Let us start our discussion from the simplest case: p = 3 and m = 1. Using the following well-known relations

sin²(3α/2) = ½[1 − cos(3α)]

cos(3α) = ±√(1 − sin²(3α))

and

sin²(3α) = sin²(α)·[3 − 4 sin²(α)]²

[0056] we find

(2X_{n+1} − 1)² + X_n(3 − 4X_n)² = 1

[0057] It is easy to show that for almost all X_n there are 2 equally likely values for X_{n+1}. In a similar way, for almost all X_{n+1} there are 3 equally likely values for X_n. Furthermore, the number of points X_i for which there are fewer than 2 values of X_{i+1} (or fewer than 3 values of X_{i−1}) is finite.

[0058] This result can be generalized to arbitrary p and m. After some simple algebra we find a functional relation between X_n and X_{n+1}:

[2(2(⋯(2(2X_{n+1} − 1)² − 1)² ⋯)² − 1]² + F_p(X_n) = 1   (3)

[0059] where the bracketed term on the left-hand side is obtained by applying y ↦ 2y² − 1 to 2X_{n+1} − 1 a total of m − 1 times (for m = 1 it reduces to 2X_{n+1} − 1, giving the relation of [0056]), so that the first term is a polynomial of degree 2^m in X_{n+1}, and F_p is the p-th order Chebyshev map. Thus, for arbitrary m and almost all x_0, equation (3) has 2^m solutions for X_{n+1} when X_n is known and p solutions for X_n when X_{n+1} is known. Therefore, for large m and almost all x_0, the sequence {X_i}_{i=1}^∞ is one-step unpredictable: for any element X_k in the sequence one can only guess with probability 1/2^m (among 2^m equally distributed values of X_{k+1}) what the next element X_{k+1} is, and with probability 1/p (among p equally distributed values of X_{k−1}) what the previous element X_{k−1} was. The set of initial conditions x_0 for which the above statement does not hold is finite.

[0060] What are the properties of the sequence X_1, X_2, …? The map H(·) in (2) is not a distribution-preserving map, and thus the output sequence is not uniformly distributed. It is possible to avoid this problem by using, for example, a periodic tent map instead of the sine function.

[0061] There are much more serious problems with the sequence X_1, X_2, …: it has been shown that this sequence is 1-step unpredictable, but it does not follow that the sequence is k-step unpredictable. In fact, the sequence X_1, X_2, … is 3-step predictable, as follows from the analysis below.

[0062] Let b_m … b_1 b_0 . a_1 a_2 … be the binary representation of x ∈ [0, q], q = 2^m, and write x = (b_m, …, b_1, b_0; a_1, a_2, …). Let us define the functions c(x) and d(x) as c(x) = b_m … b_1 b_0 (the integer part) and d(x) = 0.a_1 a_2 … (the fractional part). Suppose the value of d(r·c mod q) is known, where

c ∈ {0, 1, …, q−1},   r = p/q,   q = 2^m,   gcd(p, q) = 1,   p > q

[0063] gcd(·,·) being the greatest common divisor function.

[0064] Is the value of c predictable? Let 0.r_{−1} … r_{−m} and c_{m−1} … c_1 c_0 be the binary representations of d(r) and c, respectively, and let 0.a_1 a_2 … a_m be the binary representation of d(r·c mod q). Given that a_m = c_0·r_{−m} and r_{−m} = 1 (p must be an odd number), it holds that c_0 = a_m. Therefore, knowing the value of a_m, c_0 is easily determined. Furthermore, from the relation a_{m−1} = r_{−m+1}·c_0 ⊕ r_{−m}·c_1 and the previously determined value of c_0, it is possible to determine the value of c_1. Repeating this argument bit by bit (at higher bit positions the carries of the multiplication p·c must also be taken into account, which does not change the conclusion), the values of all bits c_0, c_1, …, c_{m−1} may be computed.

[0065] Proposition 1 Let c ∈ {0, 1, …, q−1} and r = p/q, where p > q, gcd(p, q) = 1 and q = 2^m. If we know the value of d((r·c) mod q), then we can uniquely determine the value of c.
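The bit-by-bit recovery of [0064], as an added example in exact integer arithmetic (not the patent's own code). Since d((r·c) mod q) = (p·c mod 2^m)/2^m, the leaked fractional bits are just the m-bit integer p·c mod 2^m, and each bit c_j is forced by comparing bit j of the partial product with the leaked bit; the closed form c = (p·c mod 2^m)·p⁻¹ mod 2^m is the uniqueness statement of Proposition 1. p = 419 and m = 8 (the values of Example 2 below) are used only as sample parameters.

```python
# Added example of Proposition 1: recover the integer c in [0, 2^m) from the m fractional bits of
# (p/2^m * c) mod 2^m, least significant bit first, as in paragraph [0064]. The carries that the
# XOR relation of [0064] glosses over are handled by recomputing p*c at every step.
# p = 419, m = 8 are sample parameters only; function names are this example's own.

def frac_bits(c: int, p: int, m: int) -> int:
    """The fractional part of (p/2^m * c) mod 2^m is (p*c mod 2^m)/2^m. Return it as the
    m-bit integer a_1 a_2 ... a_m (a_1 most significant, a_m = c_0 * p_0 least significant)."""
    return (p * c) % (1 << m)

def recover_c(frac: int, p: int, m: int) -> int:
    """Lift c one bit at a time. Invariant: after step j, p*c agrees with `frac` on bits 0..j.
    Setting bit j of c adds p*2^j to the product, which flips bit j (p is odd, so p_0 = 1)
    and leaves bits 0..j-1 untouched; hence each c_j is forced by the leaked bit a_{m-j}."""
    if p % 2 == 0:
        raise ValueError("p must be odd, i.e. gcd(p, 2^m) = 1")
    c = 0
    for j in range(m):
        if (((p * c) >> j) & 1) != ((frac >> j) & 1):
            c |= 1 << j
    return c

def recover_c_closed_form(frac: int, p: int, m: int) -> int:
    """Same result in one step: c = frac * p^{-1} mod 2^m (p invertible mod 2^m because it is odd)."""
    return (frac * pow(p, -1, 1 << m)) % (1 << m)

if __name__ == "__main__":
    p, m = 419, 8
    for c in (0, 1, 77, 255):
        leaked = frac_bits(c, p, m)                      # what the attacker of [0064] is assumed to know
        print(c, format(leaked, f"0{m}b"), recover_c(leaked, p, m))
```

Run over every c in [0, 256) the recovery is exact, which is what makes the integer part of the state recoverable in the proof of Theorem 2 once the fractional parts have been narrowed down to a few candidates.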

[0066] We say that the sequence X_1, X_2, X_3, … is k-step predictable if there exist X_n, X_{n+1}, …, X_{n+k−1} such that, knowing them, one can predict the values of X_{n−1} or X_{n+k}.

[0067] Theorem 2 The sequence X₁, X₂, X₃, . . . is 3-step predictable.

[0068] Proof. It holds that X_1 = H(x_1), X_2 = H(x_2) and X_3 = H(x_3). Let c_1 = c(x_1), d_1 = d(x_1), c_2 = c(x_2) and d_2 = d(x_2). According to relation (2), the value of d_1 is either d_{11} = arcsin(√X_1) ∈ [0, π/2] or d_{12} = π − d_{11}. Analogously, the value of d_2 is either d_{21} = arcsin(√X_2) ∈ [0, π/2] or d_{22} = π − d_{21}. Furthermore, x_1 and x_2 are related by x_2 = (r·x_1) mod q. Therefore we have

d_2 = d((r·(c_1 + d_1)) mod q) = d(d((r·c_1) mod q) + d((r·d_1) mod q))   (4)

[0069] Let c_1(i, j) denote the solution of equation (4) with d_1 = d_{1i} and d_2 = d_{2j}, if such a solution exists (for each such choice, equation (4) gives d((r·c_1) mod q), from which Proposition 1 determines c_1 uniquely). There are at most four possible values of x_1: c_1(1, 1) + d_{11}, c_1(1, 2) + d_{11}, c_1(2, 1) + d_{12} and c_1(2, 2) + d_{12}. The actual value of x_1 can be determined by checking for which of these values the third member of the sequence is X_3. Once the value of x_1 is determined, it is easy to compute all subsequent members X_4, X_5, …

[0070] There are several ways to generalize equations (1) and (2). First, f(·) in (1) can be an arbitrary chaotic map defined on [0, q], where q is a large integer. Second, H(·) in (2) can be an arbitrary non-periodic function H: [0, q] → [0, 1] such that its inverse H⁻¹(·) has q branches. Third, the proof of Theorem 2 uses the fact that H(·) is a periodic function from [0, q] to [0, 1], but H(·) can, for example, be any periodic function H: [0, q] → C, where C is a small finite set, for example C = {0, 1}. Some of these possibilities are examined hereinafter.

[0071] Cryptographically Secure PRNGs

[0072] The construction of cryptographically secure PRBGs of Blum and Micali [8] is based on the assumption that the inverse of a function is a well-defined function but is hard to compute.

[0073] On the contrary, according to a method of an embodiment of the present invention, it is possible to have cryptographically secure PRNGs (and thus cryptographically secure PRBGs) using simple functions H(·) whose inverse is not a well-defined function and has a large number of branches, although the inverse is easy to compute on a particular branch. In particular, if the inverse of the function H: [0, q] → C has q branches, then even knowing a value X_n of the random number sequence X_1, X_2, …, the actually used value x_n such that X_n = H(x_n) may be predicted only with probability 1/q, that is, x_n may be any of the integers of the interval [0, q].

[0074] This approach is much more convenient than the approach of Blum and Micali [8] because the function H(·) may be very simple, and thus it may be easily implemented for realizing effectively unpredictable sequences of pseudo-random numbers.

[0075] Because of the importance of PRBGs, in the ensuing description reference will be made to a preferred embodiment of the invention for generating a pseudo-random sequence of bits, but what will be stated could be easily repeated, mutatis mutandis, for generators of sequences of pseudo-random numbers.

[0076] A class of pseudo-random bit generators is designed that uses only binary operations and may be implemented as a fast algorithm. To keep the connection with the previous description as close as possible, we slightly alter the notation and write X_j for the output sequence of bits.

[0077] Let b_M … b_1 b_0 . a_1 a_2 … be the binary representation of x ∈ I = [0, 2^M], and write x = (b_M, …, b_1, b_0; a_1, a_2, …). Let us define the set

I^(k) = {x | x = (b_M, …, b_0; a_1, a_2, …, a_k)}

[0078] as the set of real numbers in I truncated to k fractional bits. Let trunc_k: I → I^(k) and H: I^(k) → {0, 1} be two functions defined as follows:

trunc_k(x) = (b_M, …, b_0; a_1, a_2, …, a_k)   (5)

and

H(x) = a_1 ⊕ a_2 ⊕ … ⊕ a_k   (6)

[0079] The seed of the generator is a string of 0s and 1s of length M+k+1, written in the form x_0 = (b_M, …, b_0; a_1, …, a_k). The output of the generator is a sequence of bits X_1, X_2, … produced as described hereinbelow.

[0080] Two sample pseudo-random bit generators are presented. In the first case the next bit is generated as:

x_{i+1} = trunc_k(((p/2^m)·x_i) mod 2^M)   (7)

X_{i+1} = H(x_{i+1})   (8)

[0081] In the second case, suppose the bit X_i has been produced. The next bit is generated as:

y_i = x_i ⊕ X_i   (9)

x_{i+1} = trunc_k(((p/2^m)·y_i) mod 2^M)   (10)

X_{i+1} = H(x_{i+1})   (11)

[0082] In the above equations i = 0, 1, 2, …; p, m, M and k are the parameters of the generator; X_0 = 0; and the XOR of a bit string with a single bit is taken bitwise,

x_i ⊕ X_i = (α_1, α_2, …) ⊕ β = (α_1 ⊕ β, α_2 ⊕ β, …)

[0083] Equations (7) and (10) are discrete versions of (1). An additional parameter M has been introduced to make the algorithm more flexible: m can be an arbitrary integer, while 2^M is preferably a large number. The output of the generator is given by (8) or (11): instead of the sine function, the periodic function H defined by (6) is used. Finally, with (9) the initial point (seed) of the generator is changed at each iteration. The parameters of the generator have the following constraints: p is an arbitrary odd integer such that p > 2^m, M is an integer such that M ≥ 64 and M >> m, and m and k are arbitrary integers.

[0084] Simple arguments (not a proof) are given as an elementary explanation of the unpredictability of the generator. The next bit X_{i+1} of the generator (or the previous bit X_{i−1}) may be determined only if all bits of x_i are known, which is, however, not possible: x_i has the form x_i = (c_M, …, c_0; d_1, …, d_k), and from the output bit one can only guess the value of x_i among 2^M equally distributed values. Moreover, it has been numerically verified that the probability p(X_j | X_{j−1} X_{j−2} …) does not depend on the previously generated bits and is approximately equal to 0.5.

[0085] Let G = {G_n, n ≥ 1} be an ensemble of generators, with G_n: {0,1}^n → {0,1}^{p(n)}, where p(·) is a polynomial satisfying n+1 ≤ p(n) ≤ n^c + c for some fixed integer c. It is well known that if a cryptographically secure PRBG with p(n) = n+1 exists, then there is a cryptographically secure PRBG with p(n) = n^c + c for each c ≥ 2. On the basis of all the above arguments it is concluded that the presented bit generators are cryptographically secure (the arguments of [0084] being, as stated there, heuristic and numerical rather than a proof).

[0086] By fixing p, m, M and k a particular pseudo-random bit generator is obtained. Two examples are presented.

EXAMPLE 1

[0087] The generator is defined by equations (7) and (8). The parametersof the pseudo-random number generator are: p=5, m=2, M=256 and k=2.

EXAMPLE 2

[0088] The generator is defined with equations (9), (10) and (11). Theparameters are: p=419, m=8, M=64 and k=64.

[0089] Statistical tests cannot prove that a sequence is random; tests can only show that a sequence is not random. In other words, tests help only to detect certain kinds of weaknesses a generator may have. If a sequence passes a finite number of statistical tests, it is not guaranteed that the sequence was indeed generated by a (truly) random number generator.

[0090] Five standard tests, commonly used for determining whether a binary sequence has some properties that a truly random sequence would be likely to exhibit, are [1]: the frequency test, the serial test, the poker test, the runs test, and the autocorrelation test. Linear congruential generators pass these standard tests. An additional package of tests (Diehard) was proposed in [18], on which standard random number generators (congruential, shift-register and lagged-Fibonacci generators) give poor results.

[0091] All these tests have been applied to the generators described in the previous section, and the results are summarized in the following table.

TABLE 1

Test                                  PRNG1   PRNG2   PRNG3
Birthday spacings                     FAIL    pass    pass
Overlapping 5-permutation             FAIL    pass    pass
Binary rank for 31 × 31 matrices      FAIL    pass    pass
Binary rank for 32 × 32 matrices      FAIL    pass    pass
Binary rank for 6 × 8 matrices        FAIL    pass    pass
Bitstream                             FAIL    pass    pass
OPSO                                  FAIL    pass    pass
OQSO                                  FAIL    pass    pass
DNA                                   FAIL    pass    pass
Count-the-1's on a stream of bytes    FAIL    pass    pass
Count-the-1's for specific bytes      FAIL    pass    pass
Parking lot                           FAIL    pass    pass
Minimum distance                      FAIL    pass    pass
3D spheres                            FAIL    pass    pass
Squeeze                               FAIL    pass    pass
Overlapping sums                      pass    pass    pass
Runs                                  pass    pass    pass
Craps                                 FAIL    pass    pass

[0092] PRNG1 is a linear congruential generator with a = 84589, b = 45989 and m = 217728. The values of the parameters are taken from [19]; similar results are obtained with different values of a, b and m. PRNG2 and PRNG3 are the generators of Examples 1 and 2, respectively.

Description of a Hardware Generator According to an Embodiment of the Invention

[0093] Once the parameters p, m, k and M of equations (7) and (8) (or of equations (9), (10) and (11)) are fixed, a hardware pseudo-random bit generator may be easily and efficiently implemented.

[0094] Following Example 1 (PRNG2), we take p = 5, m = 2, k = 2 and M = 256. Now x_i = b + a, where (in base 2) b = b_M … b_1 b_0 and a = 0.a_1 a_2, and p/2^m = 1 + 1/2².

[0095]-[0102] Then ((p/2^m)·x_i) mod 2^M can be rewritten as (b + b/2² + a + a/2²) mod 2^M. The term b/2² can be obtained by shifting b by 2 bits to the right (i.e., b/2² = 00b_M … b_3 b_2 . b_1 b_0). Moreover, the term a/2² has bits only in the third and fourth fractional positions, where none of the other addends has a bit, so it cannot generate a carry into the bits that are kept: it is immaterial with respect to the truncation operation trunc_2 and we can omit it. At last, the mod 2^M operation is simply obtained by discarding the overflow of the M-bit summation. Therefore, the quantity trunc_k(((p/2^m)·x_i) mod 2^M) is simply the sum of the two bit strings

b_M … b_3 b_2 b_1 b_0 . a_1 a_2 + 00b_M … b_3 b_2 . b_1 b_0

[0103] Summing up, the operations involved in PRNG2 are bit shift, bit addition and XOR (whereas, for example, the Blum-Micali generator uses modular exponentiation and the Blum-Blum-Shub generator uses modular multiplication). FIG. 1 depicts the application of equations (7) and (8) at the generic i-th step.

[0104] In the above-mentioned figure, the array of bits b′_M … b′_0 . a′_1 a′_2 indicates the result of the sum between b_M … b_3 b_2 b_1 b_0 . a_1 a_2 and 00b_M … b_3 b_2 . b_1 b_0, and is stored in a temporary buffer for (the base-2 representation of) x_{i+1}. At the subsequent (i+1)-th step, the content of this buffer overwrites the bits b_M … b_3 b_2 b_1 b_0 . a_1 a_2.

[0105] A basic realization of a hardware generator of a chaos-based pseudo-random bit sequence of the invention is depicted in FIG. 2. It comprises a first memory buffer MEM for storing bit strings representing the numbers x_n of the pseudo-random sequence, a shift register R1 driven by a command circuit, a second memory buffer R2 storing the bits output by the shift register R1, a first adder ADD1 modulo 2, and a second adder ADD2.

[0106] Preliminarily, a seed x_0 is stored in the memory buffer MEM; then the desired bit sequence X_n is generated by cyclically repeating the following steps:

[0107] the content of the first buffer is copied into the shift register R1;

[0108] the command circuit provides a certain number k of shift commands to the shift register R1, which outputs the k least significant bits of the string representing the number x_n;

[0109] the bits output by the shift register are stored in the second buffer R2 and are summed by the first adder modulo 2, ADD1, generating a bit X_n of the chaos-based pseudo-random bit sequence;

[0110] the second adder ADD2 sums the bit strings currently stored in the shift register and in the memory MEM, generating a bit string representing the successive number x_{n+1} of the pseudo-random sequence, which is stored in the first buffer MEM.

[0111] The hardware generator of FIG. 2 may be used whatever the number k is. Note that the addition performed by ADD2 computes x_n + x_n/2^k (the shift register holds x_n shifted right by k bits), which reproduces the multiplication by p/2^m of equation (7) only when p = 2^m + 1 and the number of shifts equals m; Example 1 (p = 5, m = 2, k = 2) satisfies both conditions.

[0112] A simpler embodiment of a hardware generator according to an embodiment of the invention, especially designed for implementing the method for k = 2, is depicted in FIG. 3. Differently from the generator of FIG. 2, the register R2 is not present and R1 can be a register of any kind.

[0113] Initially, the memory buffer MEM is loaded with a seed x_0; then, according to the embodiment of the method of the invention described in FIG. 1, the following operations are carried out:

[0114] copying into the register R1 a bit string stored in the memory buffer MEM representing a current number x_n of the pseudo-random sequence,

[0115] generating a bit X_n of the chaos-based pseudo-random bit sequence by summing modulo 2 (XORing) the two (k = 2) least significant bits of the bit string stored in the register R1,

[0116] generating a bit string representing the successive number x_{n+1} of the pseudo-random sequence by summing the bit string representing the current number x_n and the bit string obtained by eliminating the two least significant bits of the bit string stored in the register R1 (that is, x_n shifted right by two bit positions),

[0117] storing in the memory buffer MEM the bit string representing the successive number x_{n+1}.

[0118] As will be apparent to the skilled practitioner, once the generator of FIG. 3 has been realized it cannot be used for any value of k ≠ 2, because it would be necessary to change the connections between the register R1 and the cascade of adding gates [+] that constitute the adder ADD2.
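The two generators of equations (7)-(8) and (9)-(11), together with the shift-and-add datapath of FIG. 1 and FIG. 3 for Example 1, as an added software model that is not the patent's own code. The state x_i = (b_M … b_0 ; a_1 … a_k) is held as the integer x_i·2^k, so trunc_k and mod 2^M become a shift and a mask and the hardware's "discard the adder overflow" is the same mask. The tiny run with M = 4 and the seeds are constructed for illustration and deliberately violate the M ≥ 64 constraint of [0083] so that the values can be checked by hand; the function names are this example's own.

```python
# Added example (not the patent's own code): the bit generators of equations (7)-(8) and
# (9)-(11) in exact integer arithmetic, plus the shift-and-add form of Example 1 used by the
# hardware of FIGS. 1-3. State n = x_i * 2^k: M+1 integer bits above k fractional bits.

def next_state(n: int, p: int, m: int, M: int, k: int) -> int:
    """Equation (7)/(10) on the scaled state: trunc_k((p/2^m * x) mod 2^M).
    p*n carries m+k fractional bits; >> m keeps k of them (trunc_k) and the mask keeps the
    M+k bits below 2^M (the mod 2^M, i.e. the adder overflow that the hardware discards)."""
    return ((p * n) >> m) & ((1 << (M + k)) - 1)

def output_bit(n: int, k: int) -> int:
    """Equation (6): H(x) = a_1 xor ... xor a_k, the parity of the k fractional bits."""
    return bin(n & ((1 << k) - 1)).count("1") & 1

def generate(seed: int, p: int, m: int, M: int, k: int, nbits: int, feedback: bool = False) -> list:
    """Bits X_1 .. X_nbits. feedback=False is the first generator (7),(8); feedback=True is the
    second one (9),(10),(11), where every bit of x_i is XORed with the previous output bit X_i
    (X_0 = 0). `seed` is the (M+1+k)-bit string x_0 as an integer."""
    if p % 2 == 0 or p <= (1 << m):
        raise ValueError("p must be an odd integer greater than 2^m")
    ones = (1 << (M + 1 + k)) - 1                # all M+1+k state bits set
    n, X, out = seed & ones, 0, []
    for _ in range(nbits):
        y = n ^ ones if (feedback and X) else n  # (9): bitwise XOR of x_i with the single bit X_i
        n = next_state(y, p, m, M, k)            # (7) or (10)
        X = output_bit(n, k)                     # (8) or (11)
        out.append(X)
    return out

def next_state_shift_add(n: int, M: int) -> int:
    """The FIG. 1 / FIG. 3 datapath for Example 1 (p = 5, m = 2, k = 2): the state plus itself
    shifted right by two bits (b/4 of [0098]; the dropped a/4 of [0100] never carries), with the
    overflow above bit M+k discarded. Equal to next_state(n, 5, 2, M, 2): 5n >> 2 == n + (n >> 2)."""
    return (n + (n >> 2)) & ((1 << (M + 2)) - 1)

def example1_bits(seed: int, nbits: int, M: int = 256) -> list:
    """PRNG2 of Table 1 (Example 1) run with nothing but shift, add and XOR."""
    n, out = seed & ((1 << (M + 3)) - 1), []
    for _ in range(nbits):
        n = next_state_shift_add(n, M)
        out.append(output_bit(n, 2))
    return out

if __name__ == "__main__":
    # Constructed toy run, M = 4, seed (b_4..b_0 ; a_1 a_2) = (1,0,1,1,0 ; 1,1):
    print(generate(0b1011011, 5, 2, 4, 2, 5))                  # -> [1, 1, 0, 0, 1]
    print(generate(0b1011011, 5, 2, 4, 2, 5, feedback=True))   # -> [1, 1, 1, 0, 0]
    print(example1_bits((1 << 200) | 0b1011, 16))              # Example 1 with a constructed seed
```

Two things the model makes visible: after the first step b_M is always 0 (the mod 2^M can never return 2^M), and the shift-and-add form coincides with equation (7) only because 5/2² = 1 + 2⁻², which is why the FIG. 3 circuit is tied to one choice of p, m and k.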

[0119] From the foregoing it will be appreciated that, although specificembodiments of the invention have been described herein for purposes ofillustration, various modifications may be made without deviating fromthe spirit and scope of the invention.

[0120] References

[0121] [1] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.

[0122] [2] L. Kocarev, G. Jakimoski, G. Rizzotto, and P. Amato, “Chaos-based data protection using time-discrete dynamical systems,” European Patent Application No. 01 130846.7, 27 Dec. 2001.

[0123] [3] R. A. J. Matthews, “On the Derivation of a ‘Chaotic’ Encryption Algorithm,” Cryptologia, vol. 13, pp. 29-42 (1989); D. D. Wheeler, “Problems with Chaotic Cryptosystems,” Cryptologia, vol. 13, pp. 243-250 (1989); D. D. Wheeler and R. A. J. Matthews, “Supercomputer Investigations of a Chaotic Encryption Algorithm,” Cryptologia, vol. 15, no. 2, pp. 140-152 (1991).

[0124] [4] T. Kohda and A. Tsuneda, “Statistics of Chaotic Binary Sequences,” IEEE Trans. on Information Theory, 43, pp. 104-112 (1997).

[0125] [5] O. Goldreich, Modern Cryptography, Probabilistic Proofs and Pseudorandomness, Springer-Verlag, Algorithms and Combinatorics, Vol. 17 (1998).

[0126] [6] F. Italia, L. Kocarev, M. Porto, G. Rizzotto and T. Stojanovski, “Chaos Based Random Number Generators,” European Patent Application No. 01 830764.5, 13 Dec. 2001.

[0127] [7] A. Yao, “Theory and applications of trapdoor functions,” IEEE 23rd Symposium on Foundations of Computer Science, pp. 80-91 (1982).

[0128] [8] M. Blum and S. Micali, “How to generate cryptographically strong sequences of pseudorandom bits,” IEEE 23rd Symposium on Foundations of Computer Science, pp. 112-117 (1982).

[0129] [9] W. Alexi, B. Chor, O. Goldreich, and C. P. Schnorr, “RSA/Rabin bits are ½ + 1/poly(log n) secure,” IEEE 25th Symposium on Foundations of Computer Science, pp. 449-457 (1984).

[0131] [10] L. Blum, M. Blum, and M. Shub, “A Simple Unpredictable Pseudo-Random Number Generator,” SIAM J. Comput., 15, pp. 364-383 (1986).

[0132] [11] D. E. Knuth, The Art of Computer Programming, vol. 2: Seminumerical Algorithms, Reading, Mass.: Addison-Wesley (1981).

[0133] [12] J. B. Plumstead, “Inferring a sequence generated by a linear congruence,” IEEE 23rd Symposium on Foundations of Computer Science, pp. 153-159 (1982).

[0134] [13] J. Boyar, “Inferring sequences produced by pseudo-random number generators,” Journal of the Association for Computing Machinery, 36, pp. 129-142 (1989).

[0135] [14] H. Krawczyk, “How to predict congruential generators,” Journal of Algorithms, 13, pp. 527-545 (1992).

[0136] [15] A. M. Frieze, J. Håstad, R. Kannan, J. C. Lagarias, and A. Shamir, “Reconstructing truncated integer variables satisfying linear congruences,” SIAM Journal on Computing, 17, pp. 262-280 (1988).

[0137] [16] J. Stern, “Secret linear congruential generators are not cryptographically secure,” IEEE 28th Symposium on Foundations of Computer Science, pp. 421-426 (1987).

[0138] [17] J. Boyar, “Inferring sequences produced by a linear congruential generator missing low-order bits,” Journal of Cryptology, 1, pp. 177-184 (1989).

[0139] [18] http://stat.fsu.edu/~geo/diehard.html

[0140] [19] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Ed., New York: John Wiley & Sons, 1996.

What is claimed is:
1. A method for generating a chaos-based pseudo-random sequence (X_(n)) comprising the steps of: defining a chaotic map for generating a pseudo-random sequence of integer numbers (x_(n)) comprised in a certain interval ([0, q]); defining a function (H(x)) on said interval (x∈[0, q]) whose inverse has a plurality of branches; choosing a seed (x₀) of said pseudo-random sequence of integer numbers (x_(n)) comprised in said interval ([0, q]); generating numbers of said pseudo-random sequence (x_(n)); calculating numbers of said chaos-based pseudo-random sequence (X_(n)) by applying said function (H(x)) to corresponding integer numbers of said pseudo-random sequence (x_(n)).
 2. The method of claim 1, wherein the inverse of said function (H(x)) has a number of branches equal to the largest bound (q) of said interval ([0, q]).
 3. The method of claim 1, wherein said chaotic map is a linear congruential generator.
 4. The method of claim 3, wherein said linear congruential generator is defined by: choosing a first integer number (m); choosing a second odd integer number (p) greater than the power of 2 raised to said first integer number (2^(m)); choosing a third integer number (M) much greater than said first integer number (m); said chaotic map being defined by the following equation: $x_{n+1} = \left( \frac{p}{2^{m}} \cdot x_{n} \right) \bmod 2^{M}$


5. The method of claim 1, wherein defining said function (H(x)) comprises defining (H(x)) such that it may assume only two values ({0,1}).
 6. The method of claim 5, comprising the steps of: representing in binary form said integer numbers (x_(n)) of said pseudo-random sequence; defining a second integer number k; defining said function (H(x)) as the binary sum of the k least significant bits of the binary representation of its argument (x).
 7. The method of claim 5, wherein said chaotic map is a truncated linear congruential generator.
 8. The method of claim 7, wherein said truncated linear congruential generator is defined by: choosing a first integer number (m); choosing a second odd integer number (p) greater than the power of 2 raised to said first integer number (2^(m)); choosing a third integer number (M) much greater than said first integer number (m); said chaotic map being defined by the following equation: $x_{n+1} = \mathrm{trunc}_{k}\left( \left( \frac{p}{2^{m}} \cdot x_{n} \right) \bmod 2^{M} \right)$


9. The method of claim 7, wherein said truncated linear congruential generator is defined by: choosing a first integer number (m); choosing a second odd integer number (p) greater than the power of 2 raised to said first integer number (2^(m)); choosing a third integer number (M) much greater than said first integer number (m); said chaotic map being defined by the following equations: $\begin{cases} y_{n} = x_{n} \oplus X_{n} \\ x_{n+1} = \mathrm{trunc}_{k}\left( \left( \frac{p}{2^{m}} \cdot y_{n} \right) \bmod 2^{M} \right) \end{cases}$


10. The method according to claim 4, wherein said third integer number (M) is greater than or equal to 64.
 11. The method of claim 6, comprising the steps of: providing circuit means (MEM) for storing bit strings representing integer numbers (x_(n)) of said pseudo-random sequence; providing a shift register (R1) coupled to said circuit means (MEM); storing a seed (x₀) in said circuit means (MEM); carrying out cyclically the following operations: copying in said shift register (R1) a bit string stored in the circuit means (MEM) representing a current number (x_(n)) of said pseudo-random sequence, providing k shift commands to said shift register (R1), generating a bit (X_(n)) of said chaos-based pseudo-random bit sequence by summing modulo 2 the k bits output by said shift register (R1), generating a bit string representing a successive number (x_(n+1)) of said pseudo-random sequence by summing up the bit string currently stored in said shift register (R1) and the bit string representing said current number (x_(n)), storing in the circuit means (MEM) the bit string representing said successive number (x_(n+1)).
 12. The method of claim 6, comprising the steps of: providing circuit means (MEM) for storing bit strings representing integer numbers (x_(n)) of said pseudo-random sequence; providing a register (R1) coupled to said circuit means (MEM); storing a seed (x₀) in said circuit means (MEM); carrying out cyclically the following operations: copying in said register (R1) a bit string stored in the circuit means (MEM) representing a current number (x_(n)) of said pseudo-random sequence, generating a bit (X_(n)) of said chaos-based pseudo-random bit sequence by summing modulo 2 the k least significant bits of the bit string stored in said register (R1), generating a bit string representing a successive number (x_(n+1)) of said pseudo-random sequence by summing up the bit string representing said current number (x_(n)) and the bit string obtained by eliminating the k least significant bits of the bit string stored in said register (R1), storing in the circuit means (MEM) the bit string representing said successive number (x_(n+1)).
 13. A generator of chaos-based pseudo-random bit sequences, comprising: circuit means (MEM) for storing bit strings representing integer numbers (x_(n)) of said pseudo-random sequence; a register (R1) coupled to said circuit means (MEM); an adder modulo 2 (XOR) summing the k least significant bits of the bit string stored in said register (R1), generating a bit (X_(n)) of said chaos-based pseudo-random bit sequence; and a second adder (ADD2) summing up the bit string representing said current number (x_(n)) and the bit string obtained by eliminating the k least significant bits of the bit string stored in said register (R1).
 14. A generator of chaos-based pseudo-random bit sequences, comprising: circuit means (MEM) for storing bit strings representing integer numbers (x_(n)) of said pseudo-random sequence; a shift register (R1) coupled to said circuit means (MEM); a command circuit (CONTROL) generating shift commands for said shift register (R1); second circuit means (R2) for storing the bits output by said shift register (R1); an adder modulo 2 (ADD1) summing the bits stored in said second circuit means (R2), generating a bit (X_(n)) of said chaos-based pseudo-random bit sequence; a second adder (ADD2) summing up the bit strings currently stored in said shift register (R1) and in said first circuit means (MEM), generating a bit string representing a successive number (x_(n+1)) of said pseudo-random sequence.